Windows systems have been covertly hijacked by the newly emergent NonEuclid remote access trojan, which features antivirus evasion, anti-detection, privilege escalation, and ransomware encryption capabilities, reports The Hacker News.
After performing client app initialization, NonEuclid RAT — which has been proliferating on the dark web since late November — conducts detection bypass checks and establishes a TCP socket while adding Microsoft Defender Antivirus exclusions and leveraging Windows API calls for process enumeration, according to an analysis from Cyfirma. Aside from sidestepping the Windows Antimalware Scan Interface (AMSI) and User Account Control defenses, NonEuclid RAT also transforms into ransomware, with its ability to encrypt .TXT, .CSV, and .PHP files, the report revealed.

"[NonEuclid RAT's] widespread promotion across underground forums, Discord servers, and tutorial platforms demonstrates its appeal to cyber-criminals and highlights the challenges in combating such threats. The integration of features like privilege escalation, AMSI bypass, and process blocking showcases the malware's adaptability in evading security measures," said Cyfirma.
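As an added, defender-side illustration (not code from the report or from Cyfirma), the following script triages the Defender-exclusion behaviour described above: it parses Microsoft Defender configuration-change events (Event ID 5007 in the Windows Defender/Operational log) and flags newly added exclusions, rating any placed under user-writable directories as high risk. The exact message layout and all sample lines are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed Event 5007 (Defender configuration changed) messages; the
# "Old value / New value" layout is assumed, and these are not real logs.
SAMPLE_EVENTS = [
    # benign admin tuning: scan schedule change, not an exclusion
    "Event 5007: Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x0 "
    "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Scan\\ScheduleDay = 0x2",
    # path exclusion added for a user-writable temp directory
    "Event 5007: Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\alice\\AppData\\Local\\Temp = 0x0",
    # process exclusion added for a binary living under AppData
    "Event 5007: Old value: New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Processes\\C:\\Users\\alice\\AppData\\Roaming\\svc.exe = 0x0",
    # exclusion removed: Old value present, New value empty (should not alert)
    "Event 5007: Old value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Extensions\\.log = 0x0 New value: ",
]

# Matches only additions: a "New value" under the Exclusions registry tree.
EXCLUSION_RE = re.compile(
    r"New value:\s*HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
    r"(?P<kind>Paths|Processes|Extensions)\\(?P<target>.+?)\s*=\s*0x[0-9A-Fa-f]+"
)

# Locations writable without admin rights; exclusions here warrant immediate triage.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

@dataclass
class Finding:
    kind: str      # Paths, Processes or Extensions
    target: str    # the excluded path, process or extension
    high_risk: bool

def find_exclusion_additions(events):
    """Return one Finding per 5007 event that adds a Defender exclusion."""
    findings = []
    for msg in events:
        m = EXCLUSION_RE.search(msg)
        if not m:
            continue  # other configuration change, or an exclusion removal
        target = m.group("target")
        # An admin rarely excludes %TEMP% or AppData wholesale; malware often does.
        high_risk = any(marker in target.lower() for marker in USER_WRITABLE)
        findings.append(Finding(m.group("kind"), target, high_risk))
    return findings

if __name__ == "__main__":
    for f in find_exclusion_additions(SAMPLE_EVENTS):
        print(f"[{'HIGH' if f.high_risk else 'info'}] Defender {f.kind} exclusion added: {f.target}")
```

Feed it real 5007 messages exported from the Windows Defender/Operational log (for example via Get-WinEvent) after confirming the message layout matches your Defender build.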